How to connect SAP solutions running on AWS with AWS accounts and services
Connectivity and data exchange between different services and PaaS or SaaS solutions are important in today’s IT infrastructure. We hear from AWS customers who are using SAP services such as HANA Enterprise Cloud (HEC), RISE with SAP or SAP Business Technology Platform (BTP), that they wish to leverage the connectivity services provided by AWS to reduce complexity and costs while improving security and performance.
Customers require connectivity from on-premises to SAP solutions running on AWS, both for hybrid setups, where workloads and interfaces remain in the customer's on-premises data center, and simply for user access to the SAP solutions. They also need to exchange data between SAP solutions and other services running on AWS. In this blog you are going to learn about the connectivity options for common SAP services running on AWS.
I want to explain the different options to set up the network connection from on-premises to SAP solutions like SAP HANA Enterprise Cloud (HEC), RISE with SAP, SAP Business Technology Platform (BTP), SAP Analytics Cloud (SAC), SAP Data Warehouse Cloud and SAP HANA Cloud. In addition, I'm also going to show how to connect from a customer managed AWS account (named "customer managed AWS account" in the following text) to the AWS account managed by SAP (named "SAP managed AWS account"). This connection is important for customers who are already running on AWS and want to re-use their existing connectivity into AWS to connect planned and future SAP solutions with AWS services.
I won't cover technical details of AWS network technology, but rather focus on how to connect to the SAP services mentioned above.
Depending on the SAP product, there are different connectivity options, which I want to describe in more detail:
SAP HANA Enterprise Cloud (HEC) / RISE with SAP
SAP HANA Enterprise Cloud (HEC) and RISE with SAP are SAP services running on AWS and are offered in different AWS regions. As of today, SAP has enabled 17 out of 25 AWS regions for this offering, and there are more to come. AWS offers different options to connect to your Amazon Virtual Private Cloud (VPC). Both managed services are considered private cloud offerings and therefore require a private connection; AWS provides several options for private connectivity. The connectivity options supported by SAP are based on an AWS VPN connection and AWS Direct Connect.
An easy and cost-efficient way to connect to the hosted SAP system on AWS is AWS Site-to-Site VPN. AWS Site-to-Site VPN creates encrypted tunnels between your network and your Amazon Virtual Private Clouds or AWS Transit Gateways. Traffic between on-premises and AWS is encrypted with IPsec and transferred through a secure tunnel over the public internet. The advantages of an AWS VPN connection are the efficient and fast implementation, as well as lower costs compared to AWS Direct Connect.
AWS Direct Connect
If you require higher throughput and a more consistent network experience than an internet-based connection can provide, you can use AWS Direct Connect to connect between on-premises and the AWS cloud.
AWS Direct Connect is offered by multiple partners, and you can select from a range of bandwidth and implementation options. More information about the connectivity options can be found in the AWS whitepaper Amazon Virtual Private Cloud Connectivity Options, and resiliency recommendations are documented in AWS Direct Connect Resiliency Recommendations.
AWS Direct Connect uses dedicated, private network connections between the customer's network and Amazon VPC. The traffic is not routed through the internet, which provides more reliable bandwidth and throughput compared to VPN.
You can also leverage an existing AWS Direct Connect, for example one already used for other workloads on AWS, to connect to the SAP managed AWS account. For this, the connection only needs to be extended with a virtual private gateway in the SAP managed AWS account, which is then associated with the private virtual interface (VIF) or with the Direct Connect gateway.
Connectivity between AWS accounts
HEC and RISE with SAP run in AWS accounts that are managed and owned by SAP. However, you can create your own AWS account for additional workloads and to use native AWS services. There are two options to connect the SAP managed AWS account with your customer managed AWS account:
1. VPC Peering
Virtual Private Cloud (VPC) peering is a network connection between two VPCs, which enables traffic flow using private IPv4 addresses or IPv6 addresses. Instances can communicate with each other as if they were in the same network.
To peer two VPCs, their IPv4 Classless Inter-Domain Routing (CIDR) blocks must not overlap, otherwise the peering connection will fail. It's recommended to align with SAP when defining the CIDR ranges and to make sure the SAP managed ranges fit into your network concept. Once the peering connection is requested, SAP needs to accept the peering connection in their AWS VPC.
VPC peering is a one-to-one connection between VPCs. If you require direct communication between the managed SAP service and multiple VPCs, you need to set up multiple peering connections. With many AWS accounts and VPCs this can become complex and hard to manage, which is why option 2 (see below) should be considered for such scenarios.
VPC peering also works across AWS regions. So it's possible, for example, to peer a customer account running in eu-west-1 with the SAP account in eu-central-1. All inter-region traffic is encrypted, with no single point of failure or bandwidth bottleneck. Traffic always stays on the global AWS backbone and never traverses the public internet, which reduces threats such as common exploits and DDoS attacks.
Another benefit, beside the simple setup and the cross-region capabilities, is the lower cost of VPC peering compared to AWS Transit Gateway or routing the traffic via on-premises. Recently AWS announced a pricing change for VPC peering. Starting May 1st 2021, all data transfer over a VPC peering connection that stays within an Availability Zone (AZ) is free.
You can request the AZ ID from SAP to make sure it is the same as the AZ ID used in the customer managed AWS account. AZ names such as eu-central-1a are mapped independently for each AWS account, so only the AZ ID identifies the same physical Availability Zone across both accounts.
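The CIDR requirement above applies equally to a VPC peering and to a Transit Gateway attachment (option 2): a single overlapping IPv4 range fails the connection. The following pre-flight check is an added example, not code from the original post or from SAP or AWS; all VPC names and CIDRs in it are constructed, and the reserved supernet stands for the address space a customer's IP plan sets aside for SAP managed ranges.

```python
"""Pre-flight CIDR check before requesting a peering (or TGW attachment)
with an SAP managed VPC. Constructed example: every name and CIDR is made up.
"""
from ipaddress import ip_network
from itertools import product

# Constructed inventory of the customer's VPCs (VPC name -> IPv4 CIDRs).
CUSTOMER_VPCS = {
    "shared-services": ["10.10.0.0/16"],
    "analytics": ["10.20.0.0/16", "10.21.0.0/20"],
}
# Constructed CIDRs proposed by SAP for the HEC / RISE landscape.
SAP_VPCS = {
    "sap-prod": ["10.21.0.0/16"],  # clashes with the analytics VPC
    "sap-dev": ["10.64.0.0/20"],   # clean
}
# Supernet the customer's IP plan reserves for SAP managed ranges (constructed).
SAP_RESERVED = ip_network("10.64.0.0/14")


def find_overlaps(customer, sap):
    """Return (customer_vpc, customer_cidr, sap_vpc, sap_cidr) for each clash.

    ip_network.overlaps() is symmetric, so one direction is enough.
    """
    clashes = []
    for (c_name, c_cidrs), (s_name, s_cidrs) in product(customer.items(), sap.items()):
        for c_cidr, s_cidr in product(c_cidrs, s_cidrs):
            if ip_network(c_cidr).overlaps(ip_network(s_cidr)):
                clashes.append((c_name, c_cidr, s_name, s_cidr))
    return clashes


def outside_reserved(sap, reserved):
    """Return SAP CIDRs that do not fit into the supernet reserved for SAP."""
    return [(name, cidr) for name, cidrs in sap.items() for cidr in cidrs
            if not ip_network(cidr).subnet_of(reserved)]


def peering_preflight(customer, sap, reserved):
    """Everything that has to be resolved with SAP before the request is raised."""
    return {"overlaps": find_overlaps(customer, sap),
            "outside_reserved": outside_reserved(sap, reserved)}


if __name__ == "__main__":
    for check, issues in peering_preflight(CUSTOMER_VPCS, SAP_VPCS, SAP_RESERVED).items():
        print(f"{check}: {issues or 'none'}")
```

Run it against the real VPC inventory of every account that will peer with or attach to the SAP VPC, not only the one raising the request.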
2. AWS Transit Gateway
The second option to connect two or more AWS accounts is AWS Transit Gateway. AWS Transit Gateway is a network transit hub that can be used to interconnect Amazon VPCs. It acts as a cloud router, and the connection to the SAP managed AWS account only needs to be established once. Complex peering setups can be resolved and simplified by implementing AWS Transit Gateway as a central communication hub.
To connect the SAP managed AWS account, you create the AWS Transit Gateway in your own AWS account and share it with the SAP managed AWS account using AWS Resource Access Manager (AWS RAM). Afterwards, SAP can attach the VPC of the managed SAP service to the AWS Transit Gateway and enable the traffic flow with an entry in the route table. With this setup you keep control over traffic routing, because the AWS Transit Gateway resides in your own account, where it is managed.
To connect multiple VPCs across AWS accounts and AWS regions, you can establish a peering connection between multiple AWS Transit Gateways in different regions.
When peering AWS Transit Gateways across regions, the traffic also stays within the AWS network, and the same considerations as described for the VPC peering option apply, including the requirement for non-overlapping IPv4 CIDR ranges across the different VPCs.
If you use an AWS Transit Gateway in combination with AWS Direct Connect, the same setup can also route traffic from the SAP managed AWS account to on-premises and vice versa, as well as between AWS accounts.
SAP Business Technology Platform
SAP Business Technology Platform (BTP) offers a variety of different services and provides different environments, such as Cloud Foundry, ABAP, and Kyma. All three environments are running on AWS – Kyma is the latest release from April 24. As of today, SAP BTP is available in 9 commercial AWS regions.
To connect to the BTP services, you access the public endpoints via the internet. If you require a more consistent network experience, AWS Direct Connect is also available to connect to the BTP platform. However, in this case the Direct Connect is established between the on-premises network and the public AWS endpoints. For HEC and RISE with SAP, AWS Direct Connect uses a private virtual interface, which reaches resources inside the VPC via their private IP addresses. To access BTP via AWS Direct Connect you connect to public IP addresses using the public virtual interface. To learn more about these differences, please refer to the AWS Knowledge Center.
A step-by-step guide to setting up the Direct Connect for BTP is provided in the SAP blog Accessing SAP Cloud Platform via AWS Direct Connect.
SAP Cloud Connector
To connect BTP services with SAP systems running on AWS, the SAP Cloud Connector (SCC) is the recommended solution. The SAP Cloud Connector establishes secure communication between BTP services and the SAP systems without exposing the SAP systems to the internet. There is no need to open inbound connections in the security groups or to operate reverse proxies in the DMZ to reach the SAP systems. The SAP Cloud Connector acts as a reverse invoke proxy and establishes a persistent TLS tunnel to the SAP BTP sub-accounts. This architecture reduces the attack surface, because the backend SAP systems are not visible from the internet.
The SAP Cloud Connector offers a software-based HA implementation to protect against failures, or you can run the connector in an Amazon EC2 Auto Scaling group to protect against EC2 instance failures, as shown in the architecture picture below.
SAP Data Warehouse Cloud, SAP Analytics Cloud and SAP HANA Cloud
These are all SaaS or PaaS solutions offered via SAP BTP and run in a multi-tenant environment. That's why it's not possible to establish a one-to-one connection between the on-premises network or a customer managed AWS account and the VPC of the SaaS/PaaS solution in the SAP managed AWS account. VPC peering or AWS Transit Gateway can't be used to connect these solutions with additional AWS accounts. However, the same connectivity principle as for BTP applies.
You can use the SAP Cloud Connector to connect to SAP systems running on AWS, such as S/4HANA or BW/4HANA. In addition to the direct backend integration via the SAP Cloud Connector, all three services offer direct integration with a variety of AWS services, such as Amazon S3.
SAP HANA Cloud can connect to Amazon S3 and Amazon Athena.
For managed offerings like HEC and RISE with SAP, VPC peering is a simple and efficient way to connect the customer managed AWS accounts with the SAP managed AWS account where the SAP services run. AWS Transit Gateway is a good solution for more complex network setups and for connecting the SAP managed AWS account with a large number of other AWS accounts and VPCs. Customers need to consider that the AWS Transit Gateway can only reside in the customer AWS account.
Customers can leverage existing connections to AWS via AWS VPN or AWS Direct Connect and connect AWS resources with the connectivity options described above. It is recommended to use AWS-to-AWS communication and not to route traffic via on-premises if it isn't required. With that you benefit from AWS network speed, latency, and security.
SAP BTP services offer public interfaces, and with the SAP Cloud Connector you can connect securely, over TLS encryption, to the multi-tenant services offered by SAP BTP.
To learn why AWS is the platform of choice and innovation for 5000+ SAP customers, visit aws.amazon.com/sap.